The regulations, which come into force on 25 May 2018, will transform how contractors store and manage personal data. Failure to comply with the new rules could see them face significant penalties of up to €20m, or four per cent of annual global turnover.

The new legal framework is the biggest change to data privacy legislation in over two decades, and aims to protect EU citizen’s personal data, regardless of borders or where the data is processed.

An important factor is to ensure a company’s data processes protect the rights of individuals. Therefore an organised data protection programme will need to be established, with all data activities accurately recorded. This obligation extends to any third-party contractors or partners working with a business, and will present construction companies with much greater legal liability in the event of error.

A specific sector issue brings additional complications surrounding Joint Ventures, raising uncertainty around who is responsible for managing and protecting stored and shared consumer data. Sufficient GDPR protocols such as clear data sharing agreements must therefore be established by cooperative business entities in advance of undertaking projects.

Steve Snaith, technology risk assurance (TRA) partner at RSM, said: “In a growing digital economy, where data can be collected and stored within seconds, there is more risk of cyber security breaches, which was highlighted by the recent WannaCry ransomware attack. Therefore it’s increasingly important to make sure clear processes and safeguards are put in place to protect both clients and companies.

“Although GDPR is a welcome attempt to curb growing fears around how companies use and manage personal information, the new framework will drastically affect the future of stored personal data and increase company accountability. Construction businesses must make sure they are ready for what lies ahead and not get caught out, as the financial and reputational risk could be significant.”